From 97bae4dd65854316611c8f440176b063b545618b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96zg=C3=BCr=20Kesim?= Date: Sun, 28 Nov 2021 18:43:41 +0100 Subject: [PATCH] [age restriction] progress 5/n - taler-exchange-secmod-rsa - extracts AGE_RESTRICTED per denomination from config - propagates flag for each denomination to server - if age restriction is set for a denomination, age _mask_ is taken (for now!) from config --- src/exchange/taler-exchange-httpd_keys.c | 21 ++++++---- src/include/taler_crypto_lib.h | 4 +- src/include/taler_exchangedb_plugin.h | 4 ++ src/util/crypto_helper_rsa.c | 6 ++- src/util/taler-exchange-secmod-rsa.c | 50 ++++++++++++++++++------ src/util/taler-exchange-secmod-rsa.h | 5 +++ src/util/test_helper_rsa.c | 5 ++- 7 files changed, 71 insertions(+), 24 deletions(-) diff --git a/src/exchange/taler-exchange-httpd_keys.c b/src/exchange/taler-exchange-httpd_keys.c index 5f747cccf..b7359392f 100644 --- a/src/exchange/taler-exchange-httpd_keys.c +++ b/src/exchange/taler-exchange-httpd_keys.c @@ -26,6 +26,7 @@ #include "taler-exchange-httpd_keys.h" #include "taler-exchange-httpd_responses.h" #include "taler_exchangedb_plugin.h" +#include "taler_extensions.h" /** @@ -687,6 +688,7 @@ destroy_key_helpers (struct HelperState *hs) * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. + * @param age_restricted true, if denomination is age restricted */ static void helper_rsa_cb ( @@ -697,7 +699,8 @@ helper_rsa_cb ( const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig) + const struct TALER_SecurityModuleSignatureP *sm_sig, + bool age_restricted) { struct HelperState *hs = cls; struct HelperDenomination *hd; @@ -729,13 +732,17 @@ helper_rsa_cb ( TALER_denom_pub_deep_copy (&hd->denom_pub, denom_pub); GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher); - // FIXME-OEC: set AGE RESTRICTION (from 'global' variable, - // that itself is set from /managmenet API!) HERE! - // ISSUE: tricky to handle if configuration changes - // between denominations (some with/without age - // restrictions). For that, we probably need to look at - // configuration [$section_name] (!?). + + /* Set age restriction, if applicable */ hd->denom_pub.age_mask.mask = 0; + if (age_restricted) + { + /* FIXME-oec: get age mask from global */ + GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg, + &hd->denom_pub. + age_mask)); + } + TALER_denom_pub_hash (&hd->denom_pub, &hd->h_denom_pub); hd->section_name = GNUNET_strdup (section_name); diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h index ea53efb66..9e744c8dc 100644 --- a/src/include/taler_crypto_lib.h +++ b/src/include/taler_crypto_lib.h @@ -1362,6 +1362,7 @@ struct TALER_CRYPTO_RsaDenominationHelper; * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. + * @param age_restricted true, if denomnation has age restriction set */ typedef void (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)( @@ -1372,7 +1373,8 @@ typedef void const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig); + const struct TALER_SecurityModuleSignatureP *sm_sig, + bool age_restricted); /** diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h index 7b3c3baf2..47504e510 100644 --- a/src/include/taler_exchangedb_plugin.h +++ b/src/include/taler_exchangedb_plugin.h @@ -629,6 +629,10 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData */ struct TALER_Amount fee_refund; + /** + * Indication if age restriction is set for this denomination + */ + bool age_restricted; }; diff --git a/src/util/crypto_helper_rsa.c b/src/util/crypto_helper_rsa.c index 85741d5e5..d30f8091b 100644 --- a/src/util/crypto_helper_rsa.c +++ b/src/util/crypto_helper_rsa.c @@ -239,7 +239,8 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh, &h_rsa, &denom_pub, &kan->secm_pub, - &kan->secm_sig); + &kan->secm_sig, + (&kan->age_restricted > 0)); TALER_denom_pub_free (&denom_pub); } return GNUNET_OK; @@ -275,7 +276,8 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh, &pn->h_rsa, NULL, NULL, - NULL); + NULL, + false); return GNUNET_OK; } diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c index 343ae3c43..0711fd7a5 100644 --- a/src/util/taler-exchange-secmod-rsa.c +++ b/src/util/taler-exchange-secmod-rsa.c @@ -1,18 +1,18 @@ /* - This file is part of TALER - Copyright (C) 2014-2021 Taler Systems SA + This file is part of TALER + Copyright (C) 2014-2021 Taler Systems SA - TALER is free software; you can redistribute it and/or modify it under the - terms of the GNU General Public License as published by the Free Software - Foundation; either version 3, or (at your option) any later version. + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. - TALER is distributed in the hope that it will be useful, but WITHOUT ANY - WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public License for more details. + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License along with - TALER; see the file COPYING. If not, see -*/ + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see + */ /** * @file util/taler-exchange-secmod-rsa.c * @brief Standalone process to perform private key RSA operations @@ -156,6 +156,11 @@ struct Denomination * Length of (new) RSA keys (in bits). */ uint32_t rsa_keysize; + + /** + * Is the denomination age restricted? 0 == false + */ + uint8_t age_restricted; }; @@ -258,6 +263,7 @@ notify_client_dk_add (struct TES_Client *client, an->section_name_len = htons ((uint16_t) nlen); an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor); an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw); + an->age_restricted = denom->age_restricted; TALER_exchange_secmod_rsa_sign (&dk->h_rsa, denom->section, dk->anchor, @@ -1256,6 +1262,24 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, } denom->rsa_keysize = (unsigned int) rsa_keysize; denom->section = GNUNET_strdup (ct); + if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg, + ct, + "AGE_RESTRICTED"))) + { + enum GNUNET_GenericReturnValue ret; + if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg, + ct, + "AGE_RESTRICTED"))) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, + ct, + "AGE_RESTRICTED", + "Value must be YES or NO\n"); + return GNUNET_SYSERR; + } + denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0; + } + return GNUNET_OK; } @@ -1522,8 +1546,8 @@ main (int argc, (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); /* force linker to link against libtalerutil; if we do - not do this, the linker may "optimize" libtalerutil - away and skip #TALER_OS_init(), which we do need */ + not do this, the linker may "optimize" libtalerutil + away and skip #TALER_OS_init(), which we do need */ TALER_OS_init (); now = now_tmp = GNUNET_TIME_absolute_get (); ret = GNUNET_PROGRAM_run (argc, argv, diff --git a/src/util/taler-exchange-secmod-rsa.h b/src/util/taler-exchange-secmod-rsa.h index b0fdfbd96..9207e705a 100644 --- a/src/util/taler-exchange-secmod-rsa.h +++ b/src/util/taler-exchange-secmod-rsa.h @@ -77,6 +77,11 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification */ struct TALER_SecurityModuleSignatureP secm_sig; + /** + * Indicator for age restriction + */ + uint8_t age_restricted; + /* followed by @e pub_size bytes of the RSA public key */ /* followed by @e section_name bytes of the configuration section name diff --git a/src/util/test_helper_rsa.c b/src/util/test_helper_rsa.c index 14ff2bfab..80a36fd0d 100644 --- a/src/util/test_helper_rsa.c +++ b/src/util/test_helper_rsa.c @@ -133,6 +133,7 @@ free_keys (void) * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. + * @param age_restricted indication if denomination is age restricted */ static void key_cb (void *cls, @@ -142,7 +143,8 @@ key_cb (void *cls, const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig) + const struct TALER_SecurityModuleSignatureP *sm_sig, + bool age_restricted) { (void) cls; (void) sm_pub; @@ -186,6 +188,7 @@ key_cb (void *cls, keys[i].validity_duration = validity_duration; TALER_denom_pub_deep_copy (&keys[i].denom_pub, denom_pub); + /* FIXME-oec: take age_restriction into account!? */ num_keys++; return; }